19 Dec 10

I Must Have Struck A Nerve

My last post on the PCI SSC backing off on certifying mobile payment applications sure got a lot of people in touch with me.  As a result, I would like to recap my discussions with them so that the rest of the readership can be up to speed on this topic.

Like the term “cloud computing,” “mobile payment” means a lot of different things to people.  For most people, a mobile payment refers to the use of a cell phone, smart phone or personal digital assistant as the credit/debit card.  However, for a number of my more progressive merchant clients, a mobile payment refers to the use of a mobile, wireless device as a cash register.  This is one of the reasons why I believe that the PCI SSC has pulled back on certifying mobile payment applications.  The definition is becoming too broad and confusing, creating too many issues to cover in a short time.

Then there are the methods as to how these mobile payments are conducted.  From a consumer side, mobile payments can be done through RFID just like the contactless cards currently being deployed in the United States as well as using Bluetooth or Wi-Fi.  From a merchant perspective, there are a number of large merchants that are rolling out smart phones and PDAs with software to process payments over Wi-Fi and cellular.  All of these communication methods have risks associated with them.

Then there are the devices themselves that are involved regardless of whether you have the consumer or merchant view.  When you talk of cellular devices such as cell phones and smart phones, you open a Pandora’s Box of operating environments from proprietary to Windows and a number of others in between.  PDAs offer some common operating environments with their cellular brethren, but also bring some OSes of their own to the table.  All of these operating environments have their own idiosyncrasies when it comes to security or lack thereof.

Add into the mix the variety of proprietary and open development environments for each platform.  Then there is how applications get distributed.  Apple started the application marketplace approach and all the other mobile OS vendors are following their lead.  This all raises the issue of who makes sure that payment applications are certified.  Is it the developer or the marketplace?  Does the marketplace need to make sure that payment applications have been certified before they are allowed to be pushed out?  It is issues such as these that need to be discussed and addressed before the PCI SSC can issue guidance.  And these issues surrounding distribution are not simple ones.

Ultimately we are heading towards a payment environment where there is no card in the traditional sense.  I truly believe that a software algorithm will be developed that will generate secure, single use “codes” that are used to conduct transactions between consumers and merchants.  This algorithm will be similar to the Advanced Encryption Standard (AES) and will be platform independent and therefore can be run on any “intelligent” device.

In the end, I am sure all of this led the PCI SSC to want to take a step back rather than blindly charge ahead, issue a standard and then have to repeal or greatly modify the standard because of knowledge gained later.  Such an approach, while inconvenient to the rush of technology, should create a much more thoughtful approach.  So let us all be patient and let the Council do their work and get it right rather than issue something that ultimately is severely flawed.
